Analyst Papers

Featuring 329 Papers as of December 17, 2018

To download the Analyst Papers, you must be a member of the SANS.org Community. Upon joining the community, you will have unlimited access to Analyst Papers and all associated webcasts, including the on-demand version where you can download the slides.

Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.

This paper highlights the best-in-breed features of Swimlane: its ease of use, customizability, role-based access control and current technology integrations. We put Swimlane through its paces in a triage of a typical phishing email, applying the concept of componential workflow automation.

A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organization's technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.

While threat intelligence can transform an organization's security posture, it can be complex and costly for organizations to adopt and operationalize. With that in mind, SANS Analyst Dave Shackleford tested CrowdStrike Falcon X, which purportedly enables cybersecurity teams to automatically analyze malware found on endpoints, find related threats and enrich the results with customized threat intelligence. This review encapsulates his findings, and details how the solution can help SOC teams.

A new SANS survey indicates that fewer than half (46%) of survey respondents are confronting security risks up front in requirements and service design in 2018--and only half of respondents are fixing major vulnerabilities. This report chronicles how security practitioners are managing the collaborative, agile nature of DevOps and weaving security seamlessly into the development process.

A new SANS survey finds that incident response (IR) teams are stanching serious data breaches faster in 2018--but they haven't managed to improve on a major hurdle that they reported in 2017: visibility into incidents. This report explores how organizations have structured their incident response functions, what systems they are conducting investigations on, and how they're uncovering threats.

Yesterday's defense mechanisms--such as tokens, one-time passwords and even fingerprint readers--are not adequately protecting our devices, data and networks. SANS author and DFIR expert Matt Bromiley examined a relatively new authentication method, behavioral biometrics, as implemented in a product from BehavioSec. This SANS Product Review chronicles Matt's experience as he put BehavioSec's product through its paces, and it explores what behavioral biometrics is, how it works and the role it plays in authentication.

Once attackers compromise a network, they attempt to maintain a persistent presence in the network and focus on data access and exfiltration. Such east-west attacks can be challenging to detect and remediate. SANS reviewed ExtraHop Networks' Reveal(x) network traffic analysis platform, which aims to address the east-west challenge. Read on to learn more.

The benefits derived from information technology (IT) and operational technology (OT) convergence are enabling more effective management of contemporary control systems. However, the unique challenges of IT/OT convergence make managing and securing an industrial control system (ICS) more difficult. This paper explores how industrial and information system administrators can build stronger cybersecurity programs to protect IT/OT systems.

Our third survey on threat hunting looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden. Read this report to learn how survey respondents answered questions that are immediately important to organizations conducting threat hunting.

Next-generation endpoint security (NGES) strives to combine prevention, detection, response and IT operations into a single platform, allowing for the consolidation of the endpoint footprint while substantially increasing endpoint protection. For those ready to replace their traditional antivirus with NGES, SANS has developed this evaluation guide for assessing NGES tools against your organization's requirements before making capital investments in NGES.

Almost every day it seems like the press is reporting on yet another security breach. Some breaches expose sensitive business and customer information, while others bring down business operations. But breaches are not inevitable. By implementing security processes and controls to proactively identify and remove or mitigate vulnerabilities, today’s companies, even those with limited staff and budgets, can avoid or limit business damage by prioritizing security efforts.

This paper addresses the concepts of security automation and integration and provides recommendations on how to use technology to make your team faster and more efficient. It not only emphasizes the need for security automation and integration, but also shows how they are enhancements to, rather than replacements for, a security program.

You must secure what you cannot see. But how? Take the first step: Recognize the various pieces. Then you'll see how IT asset inventory can, and should be, one of the most useful tools for the security team in identifying and addressing security concerns.

Although SOCs are maturing, staffing and retention issues continue to vex critical SOC support functions. In this paper, learn how respondents to our 2018 SOC survey are staffing their SOCs, the value of cloud-based services to augment staff and technology, and respondents' level of satisfaction with the architectures they've deployed.

In this paper, we review the challenges in dealing with complex, ever-changing environments and offer suggestions and recommendations in effective endpoint management. Additionally, we discuss enterprise security as it relates to endpoint management and examine the benefits of integrating endpoint management into your security posture.

To understand risks and control the attack surface, you need visibility. But what is visibility and why is it critical? And how do you get it? This paper will help you define visibility for effective security and understand why visibility is key to determining your exposure and potential vulnerabilities.

While many of the core concepts of vulnerability and threat management remain the same in the world of cloud deployments, we need to adapt our thinking to operate in a hybrid or public cloud deployment model. This paper will help you evaluate cloud vulnerabilities and threat management, and protect your data and assets in a dynamic cloud infrastructure.

SANS reviewed Cybereason's AI hunting platform, which offers a lightweight, behavior-focused model of host-based protection that can help intrusion analysis and investigations teams more rapidly and efficiently prevent, detect and analyze malicious behavior in their environments.

IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices to control operations and processes. Read on to learn more.

When security incidents occur, law enforcement needs forensic information in hours, not days. The new features in EnCase Forensic 8 purport to assist investigators in gathering and analyzing key data in a more efficient manner. Learn more in this product review of EnCase Forensic 8.

As more midsize organizations move into the cloud, security professionals may wonder why cloud security seems difficult. More than likely, the real security challenge is the perceived loss of control. Numerous security best practices plus improved security products and services now exist. This short paper takes a look at some of the key elements and best practices for midsize enterprises looking to ensure security in their cloud implementations.

The increased use of IoT devices on business networks presents a growing challenge to security, and printers are an especially overlooked device from a security perspective. This paper examines specific attack areas for IoT devices, particularly printers, including data, management, monitoring and reporting, and makes recommendations for protecting against various attacks.

Respondents have a vested interest in improving visibility, detection and response through more automated, integrated endpoint protection, detection and response technologies. In this survey, 84% of endpoint breaches included more than one endpoint. Desktops, laptops, server endpoints, endpoints in the cloud, SCADA and other IIoT devices are being caught in the dragnet of multi-endpoint breaches. Read on for more detail, best practices and advice.

File integrity is at the heart of maintaining a secure cyber profile. But cyber security must also protect system integrity--the state of the infrastructure (encompassing applications, endpoints and networks) where intended functions must not be degraded or impaired by other changes or disruptions to its environments. This SANS Spotlight explores how cyber integrity weaves people, processes and technology together into a holistic framework that guards the modern enterprise against changes, whether authorized or unauthorized, that weaken security and destabilize operations.

In a recent SANS survey, approximately 35 percent of respondents said their greatest impediment is a skills gap in their IT environments. With that in mind, we reviewed RSA NetWitness Platform, a solution that aims to bridge the human skills gap via machine learning and analytics. This review focuses on RSA NetWitness Platform and examines different views, from responding to an incident to performing an investigation and drilling down to see an activity in real time.

SANS surveys and testimonials from IT and security professionals indicate that endpoint security is a challenge. There is too much complexity and cost, defenses aren't keeping up, and security staff is stretched thin. This infographic explores how cloud can help address these issues.

Overworked and understaffed IT security teams are trying to integrate threat intelligence into their detection, response, and protection processes -- but not very successfully. IT teams need fewer intelligence alerts and more visibility into external threats that matter to their enterprises. SANS Analyst Sonny Sarai discusses his experience reviewing IntSights' Enterprise Threat Intelligence and Mitigation Platform under simulated attack, detection, and remediation scenarios.

Post-breach investigations reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. This paper explores how Version 7.0 of the Center for Internet Security (CIS) Critical Security Controls addresses the current threat landscape, emerging technologies and tools, and changing mission and business requirements around security.

In this product review conducted by SANS instructor Serge Borso, we learned that BreakingPoint is more than just a network testing tool. BreakingPoint provides a unique solution that enables security assessment, vendor selection and change management. It integrates well and is easy to use. We believe the tool has great value to the security community and specifically larger enterprises in the midst of infrastructure updates and those optimizing information security programs.

This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.

The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.

Sophisticated malware is the new weapon of choice for criminals and nation states. A multilayered self-defending security solution--agnostic to operating systems, mitigating malware in real-time, enabling pre- and post-execution--is needed to defend against cyber attacks. In this review, SANS Instructor and Analyst Dave Shackleford tests enSilo's response against advanced malware and ransomware threats and explores how enSilo's features can alleviate burden on security staff.

With the increasing prevalence of security incidents, security teams are learning quickly that the endpoint is involved in almost every targeted attack. EnCase Endpoint Security aims to help security teams focus on the most critical incidents and avoid costly data breaches. In this review, SANS analyst Jake Williams shares his tests of EnCase Endpoint Security version 6.02 and how it performs.

In our hands-on testing, we found that VMRay Analyzer's agentless approach to malware analysis is an effective way to provide rapid incident response. VMRay bridges the gap between an easy-to-use interface and back-end technology that provides a novel platform for analyzing advanced threats.

In this product review, we explored the recently released LogRhythm CloudAI, which applies user and entity behaviour analytics (UEBA) capabilities to enhance traditional event management and security analytics toolsets to monitor behaviors tracked over time, alerting analysts to unusual events or patterns of events.

New exploits aimed at Linux systems are able to succeed by achieving root access to the OS. But what if you could lock down the OS and enforce security policies from outside of it? This Spotlight Paper explores the concept of ‘immutability’ as a way of interdicting the Linux kill chain.

The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.

The Domain Name System, or DNS, is crucial to billions of Internet users daily, but it comes with issues that organizations must be aware of. Attackers are abusing DNS to conduct attacks that bring businesses to their knees. Fortunately, with the right detection and analysis mechanisms in place, security teams can turn DNS vulnerabilities into enterprise assets.

With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.

This updated version of the 2016 paper that included the SANS guide to evaluating next-generation antivirus provides the background information organizations need to assist them in their efforts to procure next-generation antivirus. Review this document to establish your overall road map and help resolve any questions you may have on the procurement process after reading the companion piece: "SANS Step-by-Step Guide for Procuring Next-Generation Antivirus".

This document is a standalone RFP for selecting a next-generation antivirus (NGAV) solution. For more information on how to procure NGAV, be sure to access the Step by Step Guide for Procuring Next-Generation Antivirus.

Survey respondents feel that they lack visibility, auditability and effective controls to monitor everything that goes on in their public clouds. We are, however, seeing increased use of security controls within cloud provider environments and wider use of security-as-a-service (SecaaS) solutions to achieve in-house and external security and compliance requirements. Related findings and best practices are discussed in the following report.

It is important that IT departments leverage automated analytics and machine learning solutions that connect the dots between seemingly random events and provide much-needed context, visibility and actionable advice. In this paper, we explain how to utilize and integrate analytics and machine learning to reduce the load on security professionals, while increasing visibility and accurately predicting attackers' next steps.

Agile teams deliver working software every few weeks. High-speed cross-functional DevOps teams push software changes directly to production multiple times each day. Organizations are taking advantage of cloud platforms and on-demand services, containerization, and automated build and continuous delivery pipelines. All of this radically changes how development teams—and their security/risk management teams—think and work. Read on to learn more.

Network forensics is its own specialized field that often introduces complex protocols, jargon, and analysis techniques that are potentially confusing to practitioners. But particular artifacts can be leveraged to determine the attack sequence and to offer a more complete picture of the breach.
In this white paper, SANS analyst and instructor Matt Bromiley examines the power of network forensics and why it should be incorporated into all incident response investigations.

In this paper we focus narrowly on the impact of application security on the end-to-end software development value chain. We also look at ways to identify and balance cost and risk to help you decide which tools and practices are most practical and cost effective for your organization.

In today’s threat landscape, organizations wanting to shore up their defenses need endpoint tools that not only detect, alert and prevent malware and malware-less attacks, but also provide defenders a road map of the systems and pathways attackers took advantage of.
Our review shows that Carbon Black’s Cb Defense does all this and more with a high degree of intelligence and analytics. Utilizing a cloud-based delivery system, it makes informed decisions on subtle user and system behaviors that we wouldn’t otherwise see with traditional antivirus tools.
Importantly, it saved us time: Manual correlation and false positives are among the top 10 time-consuming tasks IT professionals hate, according to a recent article in Dark Reading. Rather than toggling between separate security systems, traffic logs and so on, we used a single cloud interface—through drill-down and pivot—to determine whether a threat was a false positive or real.

Securing a web app across its lifecycle is fundamentally different than securing an app born inside a secure perimeter. Selecting tools designed to scan running applications is more complex and challenging than selecting conventional tools, because the threats these tools are designed to counter are also more intensive and more pervasive. This makes the choice of tool critical. We walk you through the various parameters involved in the decision-making process in this paper.

Ransomware, insider threat and denial of service are considered the top threats to sensitive data by respondents to the 2017 SANS Data Protection Survey. User credentials and privileged accounts represented the most common data types involved in these breaches reported in the survey, spotlighting the fact that access data is prized by attackers. The experiences of respondents with compromised data provide valuable lessons for security professionals.

WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Contextual Capture, a key feature of the WireX Network Forensics Platform, is designed to turn every SOC member into a valuable analyst by providing easy-to-use forensics history (for periods of months) using a unique and intuitive query interface. WireX NFP also creates investigation workflows that can be used by the entire security team to accelerate alert validation and incident response.

Endpoints--and the users behind them--are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats, according to the 2017 SANS Threat Landscape survey. Read on for more detail on the types of attacks occurring and their impact on organizations and their security.

It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage.
This survey highlights the importance of managing internal threats as the key to winning at cyber security.

As cloud computing services evolve, the cloud opens up entirely new ways for potential attacks. This paper explores the potential security challenges enterprises face as they migrate to any kind of cloud setup and offers guidance to ensure a smooth migration to new solutions.

We annually gather and analyze raw data from hundreds of IT and industrial control systems (ICS) security practitioners. Our mission is to turn these inputs into actionable intelligence to support new developments and address trends in the field to inform the crucial business decisions. Here we report on these trends and other changes that make active use of ICS as a core enabler for business imperatives and provide actionable advice for today's security practitioners.

Failure to meet legal and political expectations for data security can expose your enterprise to fines, lawsuits, negative publicity and regulatory investigations. These expectations are rapidly evolving across the world, making it difficult for enterprises to effectively protect their brands. This white paper reveals the major steps a large, multinational enterprise can take to assure the public, authorities and business partners that it is behaving responsibly and is on a commendable path of compliance.

Today's increasingly dynamic cloud environments present new challenges to security practitioners. With security talent in short supply, tailoring old policy-and-logs approaches to the needs of an organization can require time and resources it just doesn't have. In this review, SANS analyst and instructor Matt Bromiley shares his experience using Lacework's new Zero Touch Cloud Workload Security Platform to mitigate these challenges.

Building secure web applications requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.

Overall, the results of the 2017 Incident Response Survey were very promising. Organizations are building IR teams that suit their environments and their unique set of issues. Malware still looms as the root cause of a large majority of incidents, and IR teams still suffer from a shortage of skilled staff, lack of ownership and business silo issues. Read on to examine the results of the survey and guidelines and feedback to spur improvements.

The growth in custom applications in the cloud has increased organizations' security exposure. Although more organizations want to test and remediate during development, this doesn't address the thousands of existing, potentially vulnerable, apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.

The cloud has significantly changed corporate application development. Now that releases come every few days rather than once or twice a year, AppSec is now squeezed into tiny windows of time. The speed, repetitiveness and changes in responsibility associated with these changes make it hard for traditional approaches to work. What are the choices and best practices for security within AppSec? How can you leverage the cloud to work for you? Attend this webcast and be among the first to receive access to the associated whitepaper developed by Adam Shostack.

Network infrastructure is the key business asset for organizations that depend on geographically dispersed data centers and cloud computing for their critical line-of-business applications. Consistent performance across links and between locations must be maintained to ensure timely access to data, enabling real-time results for decision making. The following pages provide guidance on how to approach common challenges faced by both the network and security operational teams in managing interrelated security and performance problems.

The primary strengths of security operations centers (SOCs) are flexibility and adaptability, while their biggest weakness is lack of visibility. Survey results indicate a need for more automation across the prevention, detection and response functions. There are opportunities to improve security operations, starting with coordination with IT operations. SOCs can improve their understanding of how to serve the organization more effectively and their use of metrics.

Why are our traditional email and endpoint security tools failing us? First, most email deployments lack any authentication of outside senders. Given this vulnerability, it’s trivial to execute spoofing and falsified email content that purports to come from a trusted entity the recipient knows and trusts. Second, attackers are using cloud-based email and “detection-busting” techniques such as fake identities, deceptive sender names and phony domains to beat defenses.
Clearly, given the prevalence of email-borne threats, protecting email infrastructure and end users needs to be a high priority for all security teams today. To this end, SANS had the opportunity to review Agari Enterprise Protect and the Agari Email Trust Platform.

Deception is an effective defense against targeted attacks that leverages a false map of cyber assets to boost the odds of finding an adversary early and mitigate overall damage. The adversary is tricked into a cyber rabbit hole of fake systems with fake libraries and DNS servers, counteracting the attacker's every move. In this review, SANS Fellow Eric Cole recounts his review of illusive networks' deception and protection capabilities to show cyber deception in action.

Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.

Are the prevention, detection, response and prediction functional groups operating in unison with shared data and workflow, or are they remaining true to the tradition of operational silos in most technology groups? In this survey, we analyze satisfaction with staffing levels, tools and management-support architectures to help provide best practices and guidance for IT security practitioners.

Just how scalable, fast and accurate are SIEM tools when under load? To find out, we put the LogRhythm 7.2 Threat Lifecycle Management Platform to the test. We found that its clustered Elasticsearch indexing layer supported large log volumes of security and event data during simulated events that would require investigation and remediation.

Security Operations Centers are increasingly important in today's enterprises - they protect against intrusions, damaging DDoS attacks and data security breaches, as well as help with investigation and remediation. But how can midsize enterprises get the same SOC advantages as their large enterprise peers?

This paper explores how Arctic Wolf Networks' CyberSOC can help midsize organizations roll out a SOC-as-a-Service, thereby leveraging the benefits of a SOC without the high costs of a DIY solution.

Attackers are always changing their methods, but some cybersecurity trends are clear--and identifying these trends will help security professionals plan for addressing these issues in the coming year.
Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage.
Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things.
Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations.
This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.

This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.

Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training and easier, more intuitive tools and processes to support the use of CTI in today's networks. These and other trends and best practices are covered in this report.

The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.

Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response and automation of remediation processes.

The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types--web applications, mobile applications, internal web services and so forth--are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.

DevSecOps, at heart, is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud. To help the shift toward a more collaborative culture, security teams need to integrate with the developers who are promoting code to cloud-based applications to show they can bring quality conditions to bear on any production code push without slowing the process. Security teams should also work with QA and development to define the key qualifiers and parameters that need to be met before any code can be promoted.
This paper also has an additional resource titled, "DevSecOps Transformation: The New DNA of Agile Business". The resource can be accessed by clicking this link.

The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.

Rather than a lack of choices in security solutions, a major problem in cyber security is an inability to implement mature processes: many organizations lack a defined and repeatable process for selecting, implementing and monitoring the security controls that are most effective against real-world threats. This paper explores how the Center for Internet Security (CIS) Critical Security Controls has proven to be an effective framework for addressing that problem.

The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure.
In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protect, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: “whaling” attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.

This paper serves as a how-to for organizations in various stages of implementing the controls and offers two real-world examples of CIS Control adoption. The case studies are based on real-time interviews with the people behind the efforts and include the security environments before the implementation, the challenges experienced in adopting the controls and the benefits they’ve experienced.

With more traffic than ever passing through our environments, and adversaries who know how to blend in, network security analysts need all the help they can get. At the same time, data is leaking out of our environments right under our noses. This paper investigates how LogRhythm’s Network Monitor Freemium (NetMon Freemium) Version 3.2.3 provides intelligent monitoring, and helps organizations to identify sensitive data leaving the network and to respond when loss occurs.

Survey respondents have become more aware of the value of analytics and have moved beyond using them simply for detection and response to using them to measure and aid in improving their overall risk posture. Still, we’ve got a long way to go before analytics truly progresses in many security organizations. Read on to learn more.

As breaches continue to cause significant damage to organizations, security consciousness is shifting from traditional perimeter defense to a holistic understanding of what is causing the damage and where organizations are exposed. Although many attacks are from an external source, attacks from within often cause the most damage. This report looks at how and why insider attacks occur and their implications.

Continuous monitoring is not a single activity. Rather, it is a set of activities, tools and processes (asset and configuration management, host and network inventories, and continuous vulnerability scanning) that must be integrated and automated all the way down to the remediation workflow. Although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy.

Effective security is all about the quality of the solution, not the quantity of products. Indeed, buying more products can make the problem worse. All of the major breaches over the last several years have had one thing in common: Multiple products were issuing alerts, but there were too many alerts and not enough people charged with monitoring and responding to them. When that is the case, putting more products in place spreads current resources even thinner--the problem gets worse, not better. This paper explains the advantages of an integrated defense-in-depth approach to security and looks at how Forcepoint's integrated solution suite meets the needs of such an approach.

Research over the past 10 years indicates that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This doesn’t mean that antivirus is “dead.” Instead, antivirus is growing up. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks. This paper provides a guide to evaluating NGAV solutions.

In this paper we look at the challenges in securing ICS environments and recommendations for effective ICS security. OT cyber security is a relatively young field with few experts, but a great deal can be judiciously drawn from IT experience. The fundamentals are the same: controlling access to devices and applications; monitoring networks to identify potential issues and direct appropriate responsive action; oversight and periodic reviews of controls and their effectiveness; securing the supply chain; and securing the human factor through awareness training. It is in the design and application of these basics to the particular considerations and technical nature of control systems and process control networks (PCNs) that things diverge the most, and it is here that we will focus.

To security professionals, the need for an effective SOC is obvious. But to organizational management, security is just one of many groups asking for financial and personnel resources. Security leaders who simply promise management that a SOC will provide better security or help the company avoid attacks won’t get very far. The security team must define and communicate the business benefits of investing in, establishing and optimizing a SOC over the long term.

The financial services industry is under a barrage of ransomware and spearphishing attacks that are rising dramatically. These top two attack vectors rely on the user to click something. Organizations enlist email security monitoring, enhanced security awareness training, endpoint detection and response, and firewalls/IDS/IPS to identify, stop and remediate threats. Yet, their preparedness to defend against attacks isn’t showing much improvement. Read on to learn more.

Despite risk that is higher than in more controlled, traditional on-premises systems, this survey found that almost a quarter of respondents (24%) are in organizations adopting a “cloud first” strategy. Using public cloud or on-premises applications as appropriate led the way, chosen by 46% of respondents, and 30% of respondents said they prefer on-premises applications. Read on to learn more about the state of cloud security and what we need to do to improve it.

Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?

Security data is everywhere—in our logs, feeds from security devices (IDS/IPS/firewalls, whitelists, etc.), network and endpoint systems, anomaly reports, access records, network traffic data, security incident and event monitoring (SIEM) systems, and even in applications hosted in the cloud. All of this data—and the processes that use it—combine to form an organization’s security intelligence ecosystem.
The major challenge of managing this ecosystem of security data is tying all these bits of data together and automating their correlation and use, with the goal of faster detection, prevention, continued security improvement and ultimately, reduced risk. The key to success is through automation and integration, according to the CIS Critical Security Controls, which is now in version 6.

In today’s cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Today’s security teams often find themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.

Despite the potential costs, legal consequences and other negative outcomes of data breaches, they continue to happen. A new SANS Institute survey looks at the preventive aspect of breaches – and what security and IT practitioners actually are, or are not, implementing for prevention.

When an army invades a sovereign nation, one of the defenders’ first goals is to disrupt the invader’s command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.

Traditional endpoint protection such as antivirus, while effective in some cases, is no match for the ever-changing techniques that attackers use to get past defenses, according to multiple SANS surveys.

The endpoint is rapidly evolving and often the first vector of attack into enterprises, according to the SANS 2016 State of Endpoint Security Survey. As such, all endpoints should be considered potentially hostile.

Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.

It’s 2016, and the attacks (and attackers) continue to be more brazen than ever. In this threat landscape, the use of cyber threat intelligence (CTI) is becoming more important to IT security and response teams than ever before. This paper provides survey results along with advice and best practices for getting the most out of CTI.

The perfect storm is upon us: Users with their many devices are falling victim to phishing and ransomware at alarming rates, with user actions at the endpoint representing the most common entry points allowing threats into organizations. Results reveal that ransomware, which spreads by phishing and web downloads, is the No. 1 type of malware making its way into organizations. Read on to learn more.

The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on …

Organizations trying to balance the risk of data breaches against the inconvenience, latency and cost of encrypting every bit of valuable data often balk at the trade-off. But with the volume of digital data growing and computing environments becoming more complex and accessible, the ratio of cost to benefit has improved and encryption is now far more common in organizations that rely heavily on Internet- or cloud-connected applications for significant business functions.

To see how serious a threat the misuse of privileged credentials represents, look no further than the astonishing scope of the breach discovered in 2015 at the United States Office of Personnel Management (OPM). To realize how often similar threats become real, look no further than the 2016 Verizon Data Breach Incident Report (DBIR), which found that privilege misuse was the second-most frequent cause of security incidents and the fourth-most common cause of breaches.

Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.

Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.

Results of the 2016 Incident Response Survey indicate that the IR landscape is ever changing. Advanced industries are able to maintain effective IR teams, but as shown in this report, there are still hurdles to jump to increase the efficiency of many IR teams. Read this report to learn more.

Survey results reveal that it is critical for an overall enterprise security program to coordinate efforts among developers, architects and system administrators—particularly since many software vulnerabilities are rooted in configuration issues or third-party components, not just in code written by the development team. Read on to learn more.

Nearly 86% of organizations responding to the survey want to be doing the hunting, albeit informally, as more than 40% do not have a formal threat hunting program in place. Results indicate that hunting is providing benefits, including finding previously undetected threats, reducing attack surfaces and enhancing the speed and accuracy of response by using threat hunting. They also suggest that organizations want to improve their threat-hunting programs and realize more benefits from threat hunting.

The survey results show that although conventional devices such as desktops and servers represent the largest segment of endpoints connected to the network, the variety of endpoints is growing quickly. Read this survey results paper for insight into endpoint management strategies and processes.

In this paper, we’ll look at the first steps in measuring your AppSec program, starting with how to use metrics to understand what is working and where you need to improve, to identify and solve problems, and to build a case for making further investments in your program. Ultimately, the goal is to make AppSec part of the organization’s culture, and ensure it’s relevant to business units and meaningful to executives.

Enterprise computing is going through a major transformation of infrastructure and IT delivery models, one that is at least as disruptive as the move from mainframe computing to client/server (Internet) architectures. With client/server architectures, the change in hardware was the most obvious difference, but the more meaningful transformation was IT organizations’ new ability to build custom systems and software much more quickly, with far greater flexibility and at lower cost than had been possible during the mainframe era.

The chances are very high that hidden threats are already in your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools by, for example, making their attacks look like normal activity.

The ubiquitous use of mobile devices results in a mixture of corporate and personal data stored on devices that are online continuously, seamlessly connecting to the closest available network, downloading and uploading data whenever possible, and carried with users continuously. This trend has radically changed the landscape of data protection.

The pace and sophistication of data breaches is growing all the time. Anyone with valuable secrets can be a target, and likely already is. According to the Privacy Rights Clearinghouse, at the time of this writing, 884,903,517 records were breached in 4,621 incidents documented since 2005. This number is just an estimate based on publicly disclosed and well-documented incidents; the real number is likely much higher. According to data available from datalossdb.org, the size of the major breaches over the past several years has grown significantly.

This paper assumes security budgeting occurs as part of each organization's yearly cost management cycle. Readers will explore the what, why, where and how of IT security spending and will get advice on how to better meet the challenge of aligning security spending processes with organizational needs.

Read this report to explore the factors that influence the financial impact on the organization in the post-breach environment: forensic analysis, system repair and data recovery, legal and insurance considerations, additional controls, customer support and losses to brand and reputation.

Although we have made progress in the use of analytics and intelligence, the latest SANS Security Analytics survey shows 26 percent of respondents feel they still can't understand and baseline normal behavior in their IT environments, with a majority citing a lack of people and dedicated resources as an impediment.

A review by Dave Shackleford of HPE's TippingPoint 2600NX IPS and its management platform. It examines the device's analytic and operational features and discusses the integration of such devices with security information and event management (SIEM) systems as well as external threat information.

Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience 'small' breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions.

A SANS Analyst Program whitepaper by Barb Filkins. It discusses how the Critical Security Controls, coupled with good configuration management processes, can support the effort required to avoid the risks inherent to SSH.

Although survey results indicate slow and steady progress in the use of analytics and intelligence, most analytics programs lack maturity. Read this survey to understand what is missing and learn where most organizations plan to invest funds to drive improvement.

This report offers an analysis of the survey findings and recommendations for improving practices. It also offers a definition of what a mature program should look like now and in the future. The goal, ultimately, is to provide a metric by which organizations can gauge their own progress in an objective way.

As organizations' data centers become more dynamic and the need to scale quickly in complex architectures grows, security will need to adapt accordingly. Read this survey results paper to learn the challenges hybrid data centers face, along with some of the steps you can take to update current practices to enhance security for the dynamic data centers in use today.

An Analyst Program whitepaper by Dr. Eric Cole. It defines the process of automating the hunt for threats, and discusses how to deploy a continuous threat-hunting process while preparing a team to analyze threats to protect critical processes and data.

Survey results indicate a strong need to keep security close to the data as it traverses cloud systems. Findings also indicate a need to integrate monitoring capabilities across hybrid environments and partnership with public cloud providers for full-spectrum visibility and response. Learn more in this survey report focusing on cloud security.

By some estimates, up to 80% of breaches may originate in the supply chain. Read this paper to get some guidance on best practices to protect your organization from vulnerabilities introduced by your vendors and suppliers.

With the rapidly changing risk environment, those assigned to protect their organizations must be agile in adapting technology to meet the challenges presented to them. Read this paper to learn what leading incident response practices are doing, and what they plan for the future.

A review by SANS analyst and instructor Dave Shackleford of Raytheon|Websense SureView Insider Threat. It discusses the product's ability to assist security teams in their efforts to mitigate the threats posed by trusted insiders.

Survey results reveal an increasingly complex response landscape and the need for automation of processes and services to provide both visibility across systems and best avenues of remediation. Read this paper for coverage of these issues, along with best practices and sage advice.

A SANS Analyst Program whitepaper by J. Michael Butler. It discusses how properly focused observation and tracking efforts provide intelligence from inside the enterprise by monitoring for indicators of compromise such as odd point-in-time activities on the network, unusual machine-to-machine communications, outbound transfers, connection requests and many other suspicious activities.

The rewards that big data can bring are widely recognized: scientific insight, competitive intelligence and improved fraud detection, as well as the benefits derived from sophisticated analyses of vast sets of transactional and behavioral data.

Security flaws like Heartbleed, POODLE, BEAST and a series of high-profile certificate thefts and misappropriations have shaken public confidence in "secure" SSL/TLS certificates. It is possible for organizations to safeguard themselves and retain most of the benefits of using the web's most common authentication system, however, as long as they're rigorous about setting and enforcing the right policies on whom to trust among the many questionable nodes in the global network of trust.

An Analyst Program whitepaper written by Byron Acohido. It discusses various security maturity models and how organizations can use them to improve their defense posture while reducing the time needed to respond to incidents and contain the damage.

Read the results of the 2015 Endpoint Security Survey to find out whether organizations assume risk, whether their perimeter defenses protect their endpoints, how much progress we are making on automation, how long it takes to remediate each compromised endpoint, and much more.

A SANS Analyst Program review by Jacob Williams. This webcast will explore the relative capabilities and efficiencies of RASP and WAF technologies, and discuss a blind, vendor-anonymous review of a representative product in each category.

A review of HP ArcSight Logger 6 by SANS analyst and instructor Dave Shackleford. It discusses the latest release of ArcSight Logger and its usefulness to security analysts who need to collect and monitor logs.

A SANS Analyst Program whitepaper written by Jaikumar Vijayan and advised by SANS Analyst G. Mark Hardy. It discusses the state of enterprise mobility and the challenges posed to information technology groups by the massive influx of personal and corporate-owned mobile devices in the workplace in recent years.

A SANS Analyst Program infographic based on the whitepaper, Enabling Large-Scale Mobility with Security from the Ground Up. It offers a graphical interpretation of the paper's key takeaways and supplemental data.

With the right resources in place, attackers can be detected more accurately and efficiently, mitigating damage and data loss from inevitable network attacks. This paper presents a proper process and procedure for incident response that includes the use of automation tools.

In the last several years, we've seen a disturbing trend: attackers are innovating much faster than defenders are. We've seen the "commercialization" of malware, with attack kits available on underground forums for anyone who wants to perpetrate a variety of attacks.

An updated SANS Analyst Program whitepaper. It covers the essentials of applying NAC to secure guest networking, as well as leveraging NAC for BYOD (Bring Your Own Device) and CYOD (Choose Your Own Device) situations and ensuring endpoint compliance with network policy.

The last year has seen scores of point of sale (POS) systems compromised by bad actors. In many cases, these environments were PCI-DSS compliant at the time of compromise. Executives seeking to protect their organizations and POS systems from compromise need to look beyond PCI-DSS and adopt a proactive "offense must inform defense" approach to POS security.

Internet traffic is severely affected when critical DNS services are not reliable or are compromised by cyber attacks. However, DNS services can be secured with the right configuration and deployment of appropriate solutions.

By preparing a careful plan and resilient response infrastructure before an attack, organizations can limit both data loss and the reactive, post-incident expenses. The result: greatly reduced impact and costs associated with events.

Learn how organizations are tackling the difficult problem of data center security, explore their best practices and consider improvements needed for data centers to meet compliance demands while reducing overall risk and management complexity.

A review of Rapid7 UserInsight by SANS senior analyst Jerry Shenk. It discusses a tool that highlights user credential misuse while tracking endpoint system details that would be valuable to an incident response team.

A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.

Using the results of the 2014 Log Management Survey, this paper identifies strengths and weaknesses in log management systems and practices, and provides advice for improving visibility across systems with proper log collection, normalization and analysis.

This SANS survey report explores how widely the CSCs are being adopted, as well as what challenges adopters are facing in terms of implementation of the controls and what they are looking for to improve their implementation practices.

A review of Oracle Advanced Security for Oracle Database 12c by SANS Analyst and Senior Instructor Dave Shackleford. It explores a number of the product's capabilities, including transparent data encryption (TDE) and effortless redaction of sensitive data, that seamlessly protect data without any developer effort from unauthorized access.

Based on the valuable information they have at their disposal, law enforcement agencies are among those that are prime targets for advanced attacks. While network protection can be extensive and sophisticated, the exploitation of insiders poses a serious threat for illegal access to these agencies.

A spate of high-profile security breaches and attacks means that security practitioners find themselves thinking a lot about incident response. A new SANS incident response survey explores how practitioners are dealing with these numerous incidents and provides insight into incident response plans, attack histories, where organizations should focus their response efforts, and how to put all of the pieces together.

Security professionals in federal, state and local agencies face many unique challenges in protecting critical systems and information. The CDM program has tremendous potential for both increasing the security levels at those agencies and reducing the cost of demonstrating compliance. However, to be successful, the program must address the following: lack of awareness, low inspector general awareness and lack of information on how to use the program. For use of the program to result in better security, additional staffing and skills are needed, as are success stories to guide organizations attempting to implement CDM.

All attacks follow certain stages. By observing those stages during an attack progression and then creating immediate protections to block those attack methods, organizations can achieve a level of closed-loop intelligence that can block and protect across this attack kill chain.
This paper explains the many steps in the kill chain, along with how to detect unknown attacks by integrating intelligence into sensors and management consoles.

A review of McAfee Next Generation Firewall by SANS Analyst and Senior Instructor Dave Shackleford. It explores a number of the product's capabilities, including clustering and redundancy, numerous varieties of VPN access, policy options and features such as end-user identification and advanced anti-evasion tools.

Paper describes the role of SSL, the role SSL decryption/inspection tools play in security, options for deploying inspection tools, and how the information generated by such inspection can be shared with other security monitoring systems.

Examination of how 2012 Saudi Aramco “spearphishing” attacks could have been thwarted with the help of a SIEM platform that combines the power of historical data with real-time data from network data sources and security policies.

Advice on what to expect from a next-generation firewall, features and business needs to consider, and a test methodology for IT and business professionals to use to enhance their investments in security through enhanced firewall capabilities.

How endpoint visibility, coordinated with network intelligence, can help identify threats not discovered by other means, determine the level of threat, recognize previously unknown threats and follow up with more accurate information for regulators and investigators.

Examination of actual threats facing organizations today, methods dedicated attackers use to compromise systems using the “intrusion kill chain” as a model, and specific defenses organizations can use to mitigate these threats.

This paper reveals what NAC can do today, how it stacks up to many of the CSCs and what strategies are needed for successfully leveraging NAC to reduce risk, improve compliance and meet the key automation and integration requisites cited in the controls.

Whitepaper breaks down the foundations of a virtual infrastructure, examines the security tools and controls available for each risk layer, presents the pros and cons of different approaches, and looks at new technology for implementing protection models in virtual and cloud-based data centers.

Content management policies must adapt to the mobile user and the cloud, provide protection to information being accessed and processed, look at the context in which it is used and validate compliance.

Review of Oracle Identity Manager (OIM) 11g R2, an enterprise IAM product that offers end users a personalized experience through a friendly interface, while managing workflow approvals and executing changes at both the user and administrator levels.

This paper explores threats to data center servers, along with the key security controls required to effectively protect them, and reviews how the McAfee portfolio of server products aligns with these controls.

Paper shows how to use secure configuration concepts to reduce the overall attack surface, bring better coordination among groups within IT and elsewhere, and ultimately reduce the risk to your business by continuously improving the IT environment.

A study of four common infrastructures (agriculture and food, transportation, water and wastewater, and physical facilities) demonstrates what vulnerabilities could be found in specific control systems and how they might be exploited and protected.

This paper discusses the difference between IDM and EAM and explains how these two enterprise functions can work together for better control of access to operating systems, applications and related data.

This paper looks at software development from both the security and development perspectives, and then evaluates what tools and techniques can help integrate security into development cycles without slowing down the process or creating too much overhead.

Review of Oracle Database Vault with Oracle Database Enterprise Edition 11g Release 2 demonstrates strong performance, while making it easy to add, change and modify rules and groups, as well as gain visibility into user activity through a variety of audit and compliance reports available through the Oracle Database Vault application.

This paper explores current threats today’s networks face that impact monitoring capabilities, the types of gaps that exist in many current monitoring architectures, and ways that network and security monitoring can be improved through advances in traffic capture and delivery technologies such as intelligent distributed taps.

Survey makes it clear that network security personnel are not consistent about validating the resiliency – performance, security, and stability – of the devices and systems that go into their network and data center infrastructures.

This paper discusses advantages and disadvantages of RBAC, along with options to consider when planning to extend RBAC to allow for centralization and standardization in a heterogeneous environment of multiple, diverse operating systems.

This paper discusses techniques attackers use to exploit missing insider controls and offers a cohesive set of cyber, operational and physical controls to manage a range of user access types for better security and compliance in utility control environments.

This paper discusses what’s new and what still needs more attention in the PCI DSS 2.0 standard, including gaps in storage encryption, wireless networking, and physical security that carry over from version 1.2.

Annual log management survey on how organizations collect and use their logs; what they aren’t currently using their logs for but would like to; what they see as the biggest problems; and the impact log management issues have on small- and mid-sized businesses.

A guide to the virtualization hardening guides that includes key configuration and system security settings for VMware ESX and vSphere/Virtual Infrastructure with key control areas organizations need to consider.

This paper explores some of the types of insider threat organizations face today and discusses monitoring and managing privileged user actions and the role this level of monitoring plays in today's compliance reporting efforts.

This paper is a review of the stand-alone Sentinel Log Manager and how it stands up to key concerns that survey respondents raised about log managers, including collection, storage and searching/reporting capabilities.

Whitelisting provides a lighter-weight means of protecting endpoints, is useful for securing legacy applications and systems as well as embedded systems and kiosks, and is a helpful addition to any robust endpoint security plan.

This paper explores practical security issues that can arise when virtualization technologies are deployed without proper planning and controls and offers advice on how to avoid making mistakes in critical areas of deployment and management.

With security actions based on context, intrusion systems can adapt to real-time threats while providing visibility into what to investigate and where to investigate, and can even take or recommend action based on preset rules.

An analysis of survey data to reveal how log data is being used successfully, the key problems holding enterprises back from log management, what is needed from the vendor community and how vendors are working to resolve these issues.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.